Car Makers Don’t Know How to Prevent Hacking

Nearly all of the foreign and domestic cars on the market today are vulnerable to remote hacking of their internal systems, according to a new report.

As cars have become more sophisticated, they’ve also become more computerized. Vehicles contain more than 50 small computers controlling everything from steering to electronic systems, navigation and engine functions, all of which are routed through a central network that can be accessed wirelessly, the report says.

“The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features,” according to the report, which was released Monday by Sen. Ed Markey (D-MA).

The report also notes that car markers collect large amounts of data on driving habits and vehicle performance that’s later transmitted wirelessly to data centers without allowing car owners to opt out.

Markey sent letters to 20 major foreign and domestic car makers asking for their procedures to secure their technological systems. Of the 16 that responded, most “were unaware of or unable to report on past hacking incidents,” the report says. Only two car makers (not named in the report) were able to describe any kind of response to hacking incidents. One was able to put the car into a “fail safe” mode that would limit vehicle operation if malfunctions that could cause damage occur. The other has the option to safely slowdown and immobilize an impacted vehicle if it’s moving at the time of detection.

On the whole, the report claims: “Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard.”

Cars Can be Hacked, But What’s the Motivation?

Although the report is damning at first blush, don’t expect a sudden uptick of car hacking incidents. Infiltrating a car system is tedious work compared to hacking garden variety personal computers.

“Because the research effort is pretty great and very costly, a car [attack] would be very targeted,” Chris Valasek, director of Security Intelligence at IOActive told IEEE Spectrum magazine. Valasek and a partner presented their research on car hacking last year during a Black Hat security conference.

And one has to consider motivation as well. “Given the [monetary] motivation of most hackers, the chance of [automotive hacking] is very low,” George Mason computer science professor and car security expert DamonMcCoy told an SXSW panel last year.

Markey’s report ends by claiming the “alarmingly inconsistent and incomplete state of industry security and privacy practices,” raises the need for the government to issue new standards to protect “the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”